Requirements and Limitations

The KMS feature has the following requirements and limitations:

  • The feature is included in the Veeam Data Platform Advanced or Premium License. For more details about all license types, see Veeam Data Platform Feature Comparison. Data decryption is available for all licenses.
  • Veeam Backup & Replication supports KMS servers that meet the following requirements:
  • Key Management Interoperability Protocol (KMIP) Profile v1.4 or earlier versions (1.2 to 1.4 are preferable). Later versions of KMIP Profiles are not supported by Veeam Backup & Replication.
  • Requirements for a baseline server. For more information, see the Baseline Server section in the KMIP Profile standard.
  • Requirements for an asymmetric key lifecycle server. For more information, see the Asymmetric Key Lifecycle Server section in the KMIP Profile standard.

Tip

The list of tested KMS solutions includes the following vendor product lines:

  • Thales CipherTrust Manager k170v 2.10.0+7973 and later
  • Fortanix Data Security Manager KMS 4.20.2274 and later (Public Cloud solution)
  • IBM Security Guardium Key Lifecycle Manager (GKLM) 4.1.1.0 and later
  • To decrypt data, the KMS server must support:
    • Requirements for a basic cryptographic server. For more information, see the Basic Cryptographic Server section in the KMIP Profile standard.
    • SHA-1 hashing algorithm.
    • Optimal Asymmetric Encryption Padding (OAEP).

In other cases, Veeam Backup & Replication will retrieve private keys from the KMS server to decrypt backup files. These keys are not stored in the configuration database and deleted immediately after decryption.

  • [For Cloud Connect] To use the KMS feature in the Veeam Cloud Connect environment, both a service provider and a tenant must run Veeam Backup & Replication 12.1 (build 12.1.0.2131) or later.
  • [For Cloud Connect] If a tenant uses the same KMS server as a service provider, backup files stored in the tenant quota cannot be decrypted on the service provider side.

Page updated 2/22/2024

Page content applies to build 12.1.2.172